I remember this attack. Although it hit TV5 really hard it did not really have a big effect on the global media and only left a bitter aftertaste for West Europeans. It was a “continental” thing and also a denial-of-service type attack that usually only receives attention for as long as its effect lasts. Especially since the attack pattern and the timing matched the terrorist movements and aligned with the cyber offensive strategy of ISIS at that time.

Later studies and investigations suggested that it was only blamed on ISIS but was in fact the work of Russians. While I have my doubts about the “cyber-bear” screenplay, I have to admit that it has always been somewhat unclear what the attackers were really up to.

23 January – 8 April, that’s 75 days, though below the average 200 days that hackers stay undetected in a network, it was still enough for the attackers to craft and build up their offensive. Targeting seven different entry points, including organizations supporting the channel with remote-controlled cameras, suggests good coordination and a solid goal, definitely the work of an organized cyber adversary. While the UK came to the conclusion that it was an attempt to test forms of cyber-weaponry, I believe it was something more. It was to cause confusion and test the reaction and not the weapon itself. I would not just start blaming all that on APT28 (as always). The money behind such an attack must have had an agenda too so I would also not dump the ISIS + cyber criminals combo either, especially since the execution of the final stage of the incident fell on Easter Day. Probably this had more to do with the timing than the launch of TV5’s new channel.

There is one last lesson learnt that needs mentioning.

“We were saved from total destruction by the fact we had launched the channel that day and the technicians were there,” said Mr Bigot. “One of them was able to locate the very machine where the attack was taking place and he was able to cut out this machine from the Internet and it stopped the attack.”

A conglomerate of such high value simply can’t manage without a proper cybersecurity center that can handle incidents like this within minutes if necessary. I can’t explain myself how it could be possible that they were only saved by technicians who were only there by chance, and not a team of IT professionals or even cyber security pros. Everything points towards a missing fully enabled 7×24 SOC (Security Operations Center) here.